diff options
author | GitLab Bot <gitlab-bot@gitlab.com> | 2023-05-22 21:44:12 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2023-05-22 21:44:12 +0300 |
commit | 34d6370bacdf1849de3618f23faaa9de76612e31 (patch) | |
tree | 1420e018fea4068504d059141212502e6f9ac040 /spec | |
parent | 727b75d3e8ecb88c70edbb017f29a8da302656c0 (diff) |
Add latest changes from gitlab-org/security/gitlab@16-0-stable-eev16.0.1
Diffstat (limited to 'spec')
4 files changed, 70 insertions, 0 deletions
diff --git a/spec/requests/groups/uploads_controller_spec.rb b/spec/requests/groups/uploads_controller_spec.rb new file mode 100644 index 00000000000..8a9e3edbe20 --- /dev/null +++ b/spec/requests/groups/uploads_controller_spec.rb @@ -0,0 +1,14 @@ +# frozen_string_literal: true + +require 'spec_helper' + +RSpec.describe Groups::UploadsController, feature_category: :shared do + include WorkhorseHelpers + + it_behaves_like 'uploads actions' do + let_it_be(:model) { create(:group, :public) } + let_it_be(:upload) { create(:upload, :namespace_upload, :with_file, model: model) } + + let(:show_path) { show_group_uploads_path(model, upload.secret, File.basename(upload.path)) } + end +end diff --git a/spec/requests/projects/uploads_controller_spec.rb b/spec/requests/projects/uploads_controller_spec.rb new file mode 100644 index 00000000000..03b53143c84 --- /dev/null +++ b/spec/requests/projects/uploads_controller_spec.rb @@ -0,0 +1,14 @@ +# frozen_string_literal: true + +require 'spec_helper' + +RSpec.describe Projects::UploadsController, feature_category: :shared do + include WorkhorseHelpers + + it_behaves_like 'uploads actions' do + let_it_be(:model) { create(:project, :public) } + let_it_be(:upload) { create(:upload, :issuable_upload, :with_file, model: model) } + + let(:show_path) { show_project_uploads_path(model, upload.secret, File.basename(upload.path)) } + end +end diff --git a/spec/requests/uploads_controller_spec.rb b/spec/requests/uploads_controller_spec.rb new file mode 100644 index 00000000000..1e6999982a8 --- /dev/null +++ b/spec/requests/uploads_controller_spec.rb @@ -0,0 +1,17 @@ +# frozen_string_literal: true + +require 'spec_helper' + +RSpec.describe UploadsController, feature_category: :shared do + include WorkhorseHelpers + + it_behaves_like 'uploads actions' do + let_it_be(:model) { create(:personal_snippet, :public) } + let_it_be(:upload) { create(:upload, :personal_snippet_upload, :with_file, model: model) } + + # See config/routes/uploads.rb + let(:show_path) do + "/uploads/-/system/#{model.model_name.singular}/#{model.to_param}/#{upload.secret}/#{File.basename(upload.path)}" + end + end +end diff --git a/spec/support/shared_examples/requests/uploads_actions_shared_examples.rb b/spec/support/shared_examples/requests/uploads_actions_shared_examples.rb new file mode 100644 index 00000000000..41613fa9871 --- /dev/null +++ b/spec/support/shared_examples/requests/uploads_actions_shared_examples.rb @@ -0,0 +1,25 @@ +# frozen_string_literal: true + +RSpec.shared_examples 'uploads actions' do + describe "GET #show" do + context 'with file traversal in filename parameter' do + # Uploads in tests are stored in directories like: + # tmp/tests/public/uploads/@hashed/AB/CD/ABCD/SECRET + let(:filename) { "../../../../../../../../../Gemfile.lock" } + let(:escaped_filename) { CGI.escape filename } + + it 'responds with status 400' do + # Check files do indeed exists + upload_absolute_path = Pathname(upload.absolute_path) + expect(upload_absolute_path).to be_exist + attacked_file_path = upload_absolute_path.dirname.join(filename) + expect(attacked_file_path).to be_exist + + # Need to escape, otherwise we get `ActionController::UrlGenerationError Exception: No route matches` + get show_path.sub(File.basename(upload.path), escaped_filename) + + expect(response).to have_gitlab_http_status(:bad_request) + end + end + end +end |